A Russian hacker calling himself ZonD80 has stirred a whirlwind of controversy by creating a website you can use to make fraudulent in-app purchases on your iPad or your iPhone.

An in-app purchase is a way for developers to make money beyond merely charging for their apps, and it's a popular - and user-friendly - way of offering chargeable content.

If you've come up with a complex game, for example, you don't need to charge full whack up front and hope that people will be willing to buy it before they've had a chance to see if they like it.

You can sell the game itself for a modest fee, or give it away for free, and then sell new levels and extensions from inside the game itself.

ZonD80 has cheekily named his site the in-appstore. His scheme exploits a cryptographic weakness in the protocol used by Apple for processing in-app payments.

The in-appstore tricks an app into conducting what it thinks is a purchase from Apple, but is, in fact, a transaction with ZonD80's site. The bogus App Store then returns a bogus "purchase receipt" that the app accepts as genuine.

The good news - at least for law-abiding, bootleg-copy-eschewing users - is that you can't stumble into lawless transactions on the in-appstore by mistake.

You need to reconfigure your iDevice so that it avoids the real App Store, and so that it trusts the imposter site. This involves changing your DNS settings so that the app's purchase traffic is redirected to the fake App Store.

(You read that last bit correctly: for this to work, you have to make, voluntarily, the same sort of device reconfiguration that the DNS Changer malware carried out surreptitiously in order to bring infected computers under criminal control.)

Once you've made your crooked purchase, you reverse the changes so your iDevice performs normally once again.

Early reports on ZonD80's exploit suggested that strict receipt checking - in particular, validating receipts with your own server, not just with Apple's - would give programmers a sure-fire way to protect their in-app purchases.

But although self-checking your app's receipts seems to protect your revenue for now, further digging suggests that it isn't a permanent fix.

ZonD80 has even published a helpful diagram implying that a future enhancement to the in-appstore will let you defraud even those developers who operate their own validation servers.
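To make the mechanism above concrete, here is a small simulation, added for this article and not Apple's StoreKit protocol or ZonD80's code. A dictionary plays the part of the phone's DNS settings, so changing it redirects every hostname the app looks up to an imposter. Three app-side checks are compared: one that trusts whatever comes back from the store hostname (the receipt-acceptance bug described earlier), one that asks the developer's own server for a verdict, and one that verifies the receipt itself. The hostnames, bundle ID, payment ledger and status codes are all constructed for the example; the idea that a device-side DNS change could also redirect the app's call to the developer's server is my assumption about one way own-server validation might be reached, not something the page or ZonD80's diagram spells out. The receipt signature uses a shared HMAC key purely because it needs nothing beyond the standard library; a real design would use a public-key signature so that the app ships only the verification key.

```python
"""Simulated in-app purchase flow: a phone whose DNS settings decide which server
answers, three app-side ways of accepting a receipt, and a receipt format the
app can verify cryptographically. Constructed for this article; not Apple's
StoreKit protocol and not ZonD80's code."""
import hashlib
import hmac
import itertools
import json

STORE_HOST = "store.example-apple.test"   # hypothetical stand-in for the App Store
DEV_HOST = "receipts.example-dev.test"    # hypothetical developer validation server
BUNDLE_ID = "com.example.game"
PAID_FOR = {("com.example.game", "level_pack_2")}   # constructed ledger of real payments
TXN_IDS = itertools.count(1000)
# Shared HMAC key, used only because it needs nothing beyond the standard library;
# a real design would use a public-key signature so the app holds no signing secret.
RECEIPT_KEY = b"store-signing-key-constructed-for-this-example"

def canonical(receipt):
    return json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()

def sign(receipt):
    return hmac.new(RECEIPT_KEY, canonical(receipt), hashlib.sha256).hexdigest()

# ---- simulated servers ----
def genuine_store(req):
    """Issues a signed receipt only for a product the ledger says was paid for."""
    if (req["bundle_id"], req["product_id"]) not in PAID_FOR:
        return {"status": 1}
    receipt = {"bundle_id": req["bundle_id"], "product_id": req["product_id"],
               "transaction_id": "txn-%d" % next(TXN_IDS)}
    return {"status": 0, "receipt": receipt, "sig": sign(receipt)}

def fake_store(req):
    """Imposter: approves whatever was asked for. It has no signing key, so the
    'signature' is junk, but the fields a naive app reads look right."""
    receipt = {"bundle_id": req["bundle_id"], "product_id": req["product_id"],
               "transaction_id": "fake-1"}
    return {"status": 0, "receipt": receipt, "sig": "0" * 64}

def genuine_dev_server(req):
    """Developer's server: re-checks the receipt signature with the key it holds."""
    r = req["receipt"]
    return {"valid": hmac.compare_digest(sign(r), req["sig"]) and r["bundle_id"] == BUNDLE_ID}

def fake_dev_server(req):
    """Imposter developer server: says yes to everything."""
    return {"valid": True}

SERVERS = {"store": genuine_store, "imposter-store": fake_store,
           "dev": genuine_dev_server, "imposter-dev": fake_dev_server}
HONEST_DNS = {STORE_HOST: "store", DEV_HOST: "dev"}
REDIRECTED_DNS = {STORE_HOST: "imposter-store", DEV_HOST: "imposter-dev"}  # the user's change

def send(resolver, host, req):
    """Route a request as the phone would: resolve the name with the device's DNS
    settings, then talk to whatever answers at that address."""
    return SERVERS[resolver[host]](req)

# ---- three app-side purchase checks ----
def naive_app(resolver, product_id):
    """Trusts any approval that arrives from the store hostname."""
    reply = send(resolver, STORE_HOST, {"bundle_id": BUNDLE_ID, "product_id": product_id})
    return reply["status"] == 0 and reply["receipt"]["product_id"] == product_id

def own_server_app(resolver, product_id):
    """Asks the developer's server for a verdict, but reaches it through the same
    device resolver, so the same DNS change can redirect this hop as well."""
    reply = send(resolver, STORE_HOST, {"bundle_id": BUNDLE_ID, "product_id": product_id})
    if reply["status"] != 0:
        return False
    verdict = send(resolver, DEV_HOST, {"receipt": reply["receipt"], "sig": reply["sig"]})
    return verdict["valid"]

def verify_signed_receipt(reply, product_id, seen):
    """Checks the receipt itself: signature under the key the app embeds, the
    right app and product, and a transaction id not redeemed before (replay)."""
    if reply["status"] != 0:
        return False
    r = reply["receipt"]
    if not hmac.compare_digest(sign(r), reply["sig"]):
        return False
    if r["bundle_id"] != BUNDLE_ID or r["product_id"] != product_id:
        return False
    if r["transaction_id"] in seen:
        return False
    seen.add(r["transaction_id"])
    return True

def signed_receipt_app(resolver, product_id, seen):
    reply = send(resolver, STORE_HOST, {"bundle_id": BUNDLE_ID, "product_id": product_id})
    return verify_signed_receipt(reply, product_id, seen)

if __name__ == "__main__":
    for label, dns in (("honest DNS", HONEST_DNS), ("redirected DNS", REDIRECTED_DNS)):
        print(label, "unpaid product accepted by: naive", naive_app(dns, "level_pack_3"),
              "own-server", own_server_app(dns, "level_pack_3"),
              "signed-receipt", signed_receipt_app(dns, "level_pack_3", set()))
```

With honest DNS, all three checks refuse an unpaid product; with the redirected DNS, both the naive app and the own-server app hand over the content, because every hostname the phone resolves now leads to an imposter. Only the check that verifies the receipt's signature, its binding to this app and product, and its transaction ID holds up, which is the sense in which a better cryptographic protocol, rather than more trust in whoever answers a hostname, is the real fix.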

This is a pretty big blow to Apple - especially at a time when it is facing criticism for some of the stuff it lets into the App Store in the first place.

Indeed, although the fruity company is normally silent on security matters until it has actually published a fix, it has already commented publicly on this issue. As Apple-centric news site The Loop reports:

"The security of the App Store is incredibly important to us and the developer community," Apple representative Natalie Harrison, told The Loop. "We take reports of fraudulent activity very seriously and we are investigating."

That may not be much of a response, but - as John Milton famously and poetically observed on going blind - they also serve who only stand and wait.

When it comes to actually fixing the problem, however, it looks as though Apple will need a better cryptographic protocol, and as though developers will need to adapt their applications accordingly. If that's the case, let's hope that App Store approval for any needed code updates will be quick and easy to obtain.

By the way, reports suggest that tens of thousands of dishonest "purchases" have already been made through the in-appstore.

May I suggest that you control any urge you might have to join in?

(Especially if your excuse is of the they-can-afford-it-why-should-I-make-them-even-richer sort. If you really are that strongly opposed to commercial content, you should avoid it altogether and actively support those who offer their stuff for free instead.)

This has already been done MANY times before with a much lower level of sophistication. Just look at iAP Cracker or iAP Free. I have not fully checked this out yet, but I am sure it is of higher complexity and can do a bit more than iAP Free since it is actually creating actual fake receipts to Apple, but it seems like they both have the same purpose, do they not?

"... Especially if your excuse is of the they-can-afford-it-why-should-I-make-them-even-richer sort. If you really are that strongly opposed to commercial content, you should avoid it altogether and actively support those who offer their stuff for free instead."

All these "holes" are due to the quality of the code and bad software architecture. Today's programmers have FAR FAR less quality in their code output compared with that of a generation ago. They lack training (a combination of their being less intelligent and of bad computer science instructors in college), and the companies that hire them do not impose good quality control on the products either, because those software development managers do NOT know how to do it.

Microsoft is the #1 example. Years ago, only second-class programmers worked at that company; the better ones were at Sun Microsystems. Now the "good" generation of programmers are all close to retirement age. The new generation is far less competent and sloppy in their coding. Software developers at Apple Inc. are no exception. Apple should do annual re-certification of all their software developers and weed out those who fail the exam.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009.
Follow him on Twitter: @duckblog